The 43-year-old SS7 protocol is used by most of the world’s mobile carriers and isn’t going anywhere soon, which means mobile service providers need not only to be aware of its potential vulnerabilities but also to act urgently to address them. If they don’t, they risk embarrassing press stories, which will become impossible to control if consumers are affected, and the loss of lucrative business from verticals such as financial services.

SS7 vulnerabilities are not a flaw

Possibly the most concerning aspect of SS7’s vulnerability is that it’s not a flaw that’s being exploited but a designed-in feature dating from when the protocol was first developed (in a very different market to today).

Back then, carriers operated in a cosy club where everyone knew one another and, more importantly, trusted one another. The closed nature of this club is what kept things safe. However, since the 1970s the industry has opened up to increased competition, with more and more players connecting to our mobile infrastructure. Good for business? Yes. Good for competition? Yes. Good for security? Sadly no.

What is SS7?

SS7 is a protocol that allows networks to exchange the information needed to pass calls and text messages between them, ensure correct billing and enable roaming. It can also enable service providers to locate a customer’s phone, which is information they can provide to third parties for a fee (e.g. banks may use this information as an anti-fraud measure).

Why is SS7 vulnerable?

SS7 was not designed with adequate authentication safeguards, which means that if cybercriminals gain access to the control channel they can spoof a phone to track its location, read or redirect texts, or listen to calls. Nor is 4G immune, because Diameter, the protocol that supports it, has similar vulnerabilities to SS7 and carriers are already experiencing exploratory attacks on 4G.

How is SS7 being exploited?

Positive Technologies says that 100% of SS7-based SMS interception attacks in EMEA networks between 2016 and 2017 were successful. The company comments that of the 24 service providers it worked with, almost none could prevent eavesdropping on conversations and the reading of incoming text messages. Fraud was possible on 78% of these networks and the company points out that the use of SMS for two-factor authentication means that hackers can go on to compromise accounts for online banks, stores and government services.

Although carriers are reluctant to talk about such attacks, in May 2017 O2-Telefonica in Germany went public and confirmed that some of its customers had had their accounts emptied using a two-stage attack that exploited SS7 vulnerabilities to intercept two-factor authentication codes sent to online banking customers.

And in May 2018, US Senator Ron Wyden revealed that a US mobile provider had been breached. “One of the major wireless carriers informed my office that it reported an SS7 breach, in which customer data was accessed, to law enforcement through the government’s Customer Proprietary Network Information (CPNI) Reporting Portal,” he wrote in a letter to the FCC.

Incentivising the hackers to try harder

Service providers are trying to work backwards to tackle security problems with SS7 and Diameter, with some success, but things are just about to get far worse. Visa announced in July 2018 that online shoppers will soon have to enter a one-time passcode sent via text for certain transactions. This will replace the Verified by Visa system that is currently being used. But relying on SMS as an authentication channel will simply incentivise more hackers to probe SS7’s vulnerabilities.

What’s at stake is considerable business with B2B customers who have identified SMS as a convenient and easy way to authenticate customers or transactions.

But what can be done to preserve the reputation of B2B providers and keep hold of this business? Paul Gill, CEO, Evolved Intelligence says his company is working closely with industry bodies such as the GSMA, ETSI and 3GPP to help define and develop improved interconnect security for next generation 5G networks.

“Meanwhile it’s vital that operators deploy effective firewalls to manage and block malicious signalling going in and out of their networks,” comments Gill. “Protecting the network and subscribers from fraud, breaches of privacy and spam is now a paramount concern. Firewalls are needed to halt lost revenue, prevent fines from regulators and avoid claims in damages from consumers. Any of those issues also have negative consequences for brand reputation, consumer loyalty and overall business value.”

Gill says two of Europe’s tier 1 mobile operator groups are now deploying Evolved Intelligence’s fraud and security firewalls to secure the signalling of their networks in more than 30 territories. “The value being placed on network security is certainly growing,” he comments, “but there’s still a long way to go.”
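To make the idea of a signalling firewall concrete, here is a simplified screening policy for inbound SS7 traffic, added as an example; it is not part of the original article and is not any vendor's product logic. The operation names are real MAP operations, but their grouping into two policy sets, the global title prefixes, the IMSI prefixes and the sample messages are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MapMessage:
    calling_gt: str  # SCCP calling-party global title (E.164 digits)
    operation: str   # MAP operation name
    imsi: str        # subscriber the request is about

# Constructed policy data; a real firewall derives it from roaming agreements.
OWN_GT_PREFIX = "44770"
PARTNERS = {"26201": "49171", "20801": "33689"}  # IMSI prefix -> partner GT prefix

# Simplified grouping (an assumption of this example).
INTERNAL_ONLY = {"anyTimeInterrogation", "sendIMSI"}
HOME_NETWORK_ONLY = {"provideSubscriberInfo", "insertSubscriberData"}

def screen_inbound(msg: MapMessage) -> tuple[str, str]:
    """Verdict for one message arriving on the external interconnect link."""
    gt = msg.calling_gt
    # SS7 does not authenticate the sender, so the claimed origin is checked
    # against where the message actually arrived.
    if gt.startswith(OWN_GT_PREFIX):
        return "block", "own global title claimed on external link"
    if not any(gt.startswith(p) for p in PARTNERS.values()):
        return "block", "sender is not a known interconnect partner"
    if msg.operation in INTERNAL_ONLY:
        return "block", "operation is only valid inside one network"
    if msg.operation in HOME_NETWORK_ONLY:
        home_gt = next((g for pfx, g in PARTNERS.items()
                        if msg.imsi.startswith(pfx)), None)
        if home_gt is None or not gt.startswith(home_gt):
            return "block", "sender is not the subscriber's home network"
    return "allow", "passed screening"

# Constructed sample traffic.
SAMPLES = [
    MapMessage("4917100001", "provideSubscriberInfo", "262010000000001"),
    MapMessage("3368900002", "provideSubscriberInfo", "262010000000001"),
    MapMessage("4917100001", "anyTimeInterrogation", "234150000000002"),
    MapMessage("4477000003", "updateLocation", "234150000000002"),
    MapMessage("9990000004", "sendRoutingInfoForSM", "234150000000002"),
    MapMessage("4917100001", "updateLocation", "234150000000002"),
]

def screen_all(messages=SAMPLES):
    return [screen_inbound(m)[0] for m in messages]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.calling_gt, m.operation, *screen_inbound(m))
```

The last sample is allowed because a partner reporting a roaming subscriber's location update is normal traffic; a production firewall would add plausibility checks on such messages rather than rely on sender identity alone.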

Posted by Teresa Cottam

Teresa helps B2B service providers improve their commercial results and the customer experience they deliver through research, insight and analysis that builds effective strategy. She is a judge of the GSMA GloMo's for customer experience and enterprise innovation, and for the UK Cloud awards. You can follow her on Twitter @teresacottam
